According to the Bank Secrecy Act, antimoney laundering provisions and certain regulations adopted by the Office of Foreign Assets Control, financial institutions must solicit and retain information regarding the financial transactions that they execute and their customers' sensitive and confidential personal information. Protecting this information from hackers who engage in cyber attacks is difficult and expensive. Should banks be held liable when they are the subject of cyber attacks and the information that they are required to collect and gather under federal laws and regulations is accessed by unauthorized third parties? If cybersecurity protections are expensive, should the banks be responsible for the full costs of protecting this information or should the government be required to subsidize banks' cybersecurity policies?

References:

FFIEC, Interagency Guidelines Establishing Information Security Standards, 2005 FFIEC, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 2005